Hi,

After just 3 login attempts a user's account is locked by Archiva, which is quite bad if a whole team, including continuous integration servers, uses the same account. (Using the same account because I can't set up a security role which includes several repositories and assign that role to a user.)

I think you should just add an exponentially growing timeout after each failed attempt per source IP, or at least make security options configurable from the frontend. For our internal/firewalled Archiva this sort of thing is a bit of overkill.

I finally found out how to convince Archiva to be more lenient (http://amanica.blogspot.com/2010/03/how-to-make-archiva-less-paranoid-about.html).

I saw that you are considering a different security provider, but it looks quite far off, so I just thought I'd give you some feedback in the meantime.

--
<>< Marius ><>
